MSA-19-0002: Blind SSRF Risk in /badges/mybackpack.php

The mybackpack functionality allowed the URL of badges to be set, when it should have been restricted to the Mozilla Open Badges backpack URL. As a result, requests made by the page could be used for blind SSRF.
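The restriction described above, sketched as an added example that is not Moodle's own code: a server-side check that accepts a backpack URL only when it matches one fixed origin. The function name `is_allowed_backpack_url`, the constant, and the origin value `https://backpack.openbadges.org` are assumptions for illustration, and the sample URLs are constructed.

```php
<?php
// Added illustration, not code from Moodle. The origin below is an assumption.
const ALLOWED_BACKPACK_ORIGIN = 'https://backpack.openbadges.org';

/**
 * Return true only if $url targets the single allowed backpack origin.
 * Comparison is done on parsed components, never on substrings.
 */
function is_allowed_backpack_url(string $url): bool {
    $allowed = parse_url(ALLOWED_BACKPACK_ORIGIN);
    $parts   = parse_url($url);

    // Malformed or relative URLs have no scheme/host to compare.
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Embedded credentials are never needed here and are a common way
    // to make a URL look like it points at the allowed host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Scheme and host must match exactly (both are case-insensitive).
    if (strtolower($parts['scheme']) !== $allowed['scheme']) {
        return false;
    }
    if (strtolower($parts['host']) !== $allowed['host']) {
        return false;
    }
    // Only the default HTTPS port is accepted.
    if (isset($parts['port']) && $parts['port'] !== 443) {
        return false;
    }
    return true;
}

// Constructed sample inputs: one valid URL and four that must be rejected.
$samples = [
    'https://backpack.openbadges.org/displayer/convert/email',
    'http://backpack.openbadges.org/',
    'https://backpack.openbadges.org.example.test/',
    'https://backpack.openbadges.org@internal.example.test/',
    'https://internal.example.test:8080/status',
];
foreach ($samples as $url) {
    printf("%-58s %s\n", $url, is_allowed_backpack_url($url) ? 'allow' : 'reject');
}
```

A check like this only covers the first request, so the HTTP client that makes the call should also be configured not to follow redirects to other hosts.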

MSA-19-0001: Manage groups capability is missing XSS risk flag

The 'manage groups' capability did not have the 'XSS risk' flag assigned to it, even though it does have that access in certain places. Note that the capability is intended for use by trusted users, and is only assigned to teachers and managers by default.
